tadamsmar wrote:Vanguard does allow you to include upper and lower case when you enter a password. But Vanguard does not check the case when you enter your password. So you don't need to bother with the shift key when you enter letters. Surprise!

Holy cow, you're right. That is so dumb. It's like Vanguard is going out of its way to prevent people from having good passwords. I just don't get it, given how commonplace longer passwords, capitals, etc., are on the most basic email account.

Another security-related surprise: you don't get notified by email (i.e., at the old address) if someone logs in and changes your email address. So email notifications are not a reliable way to detect unauthorized activity. Also, your messages on the web site can be deleted, so they are not reliable for monitoring.

I personally log in at least once a month and check my email address carefully (no minor changes) on the Overview. I also check the last login time on the Overview, but that check is not useful if you have an automatic aggregator (like Mint) logging in. I do some transaction checking while logged in also. And I try to be careful to check all snail mail from Vanguard.

If you adhere to your responsibilities under Vanguard's online fraud policy (which includes monitoring your account), then your chances of getting hacked are pretty low and your chances of a significant loss are as low as anything gets.

Phineas J. Whoopee wrote:I think I'm in the minority (at least based on how many people used to be vocal on this forum in complaining about Treasury Direct's good security practices while simultaneously complaining about their restricted reimbursement policy), but I would like the access card back.

Does Treasury Direct reimburse losses due to online fraud? TSP (the federal "401k") famously refused to reimburse some losses due to online theft, I have always assumed Treasury Direct would not reimburse. Do you know their policy?

PS: TSP did eliminate online withdrawals and that made theft harder.

Hi tadamsmar,

Searching the forum for td fraud renders this as the top item - in it Mel quotes the law:

tadamsmar wrote:Another security-related surprise: you don't get notified by email (i.e., at the old address) if someone logs in and changes your email address. So email notifications are not a reliable way to detect unauthorized activity. Also, your messages on the web site can be deleted, so they are not reliable for monitoring.

Good points. Does not make me feel better about Vanguard's security.

tadamsmar wrote:If you adhere to your responsibilities under Vanguard's online fraud policy (which includes monitoring your account), then your chances of getting hacked are pretty low and your chances of a significant loss are as low as anything gets.

I understand that it's a good idea to regularly monitor one's account. But I do find it a bit lame of Vanguard to suggest this is a reasonable security measure. Unless I'm checking my account every day (and even then), presumably all that monitoring will do is cause me to be aware of fraud sooner rather than later. But anyone setting out to commit fraud is going to do it quickly and move on (this is the typical modus operandi for this type of fraud).

So I don't see how monitoring is going to prevent me from being the victim of some sort of fraud. And it's not even clear to me that catching the fraud quickly will have any particular benefit (like catching the perpetrator).

From my perspective, it feels like passing the buck. If Vanguard has to tell clients that they need to monitor their accounts frequently to be on guard against fraud, it's really just Vanguard taking a security problem that should be its technical problem and instead pushing it off on the client (which may also serve as a potential excuse not to agree to reimburse someone).

If Vanguard allowed better passwords, did not rely on easily hacked security questions (to which most people will naively provide the true answers), and offered the option of key fobs for two-factor identification, then I'd be more convinced that Vanguard takes security seriously enough and be less skeptical about their suggestion that it's the client's "responsibility" to keep a watchful eye on their account.

I agree that Vanguard could do better. The rest of this post is not meant to defend Vanguard.

I don't think you have a well thought-out view of security. Monitoring your financial accounts provides one layer of security, even for your credit card and bank accounts. For personal bank and credit card accounts, it's written into federal law that you must monitor and report unauthorized activity to ensure that you get reimbursement. Preventing the stealing of your login credentials, and even preventing the removal of funds from your account, are only layers in the overall prevention process. Your ultimate goal should be preventing or minimizing unreimbursed losses. That ultimately determines whether you are a victim of a fraud or not. Even Schwab requires monitoring, and they are viewed as having the most ironclad reimbursement guarantee in the business.

Unless I'm checking my account every day (and even then), presumably all that monitoring will do is cause me to be aware of fraud sooner rather than later. But anyone setting out to commit fraud is going to do it quickly and move on (this is the typical modus operandi for this type of fraud).

That may be true for an account set up directly to buy stocks or ETFs. They may be subject to hack, pump, and dump schemes that have been completed quickly in the past. But I think it takes many days to set up a new bank account to remove funds from a Vanguard mutual fund account, so you will have time to get the snail mail notification and phone Vanguard. I think only a dumb crook would even try this because it's too high a risk for him. And, as I said above, your goal should be to avoid large financial losses even if there is a successful fraud against one of your financial accounts, by ensuring that you will be reimbursed, so you don't want to neglect monitoring even if it's not 100% effective.

Even using 2FA and a dedicated computer where you never use email and never download anything is not certain to work. 2FA (based on cell phone communications) was recently hacked. Microsoft once screwed up on encryption and hackers managed to actually use Microsoft Update to deliver malware. You still need other levels of security.

I appreciate your thoughts, but trust me, I have thought through these type of security issues extensively. Other than learning some new things about the limitations of Vanguard's security protocols, nothing in this thread is new to me.

I think that, as others have pointed out, even if it took several days to set up a new bank account, one could easily be out of town for a few weeks and miss such an occurrence. In addition, just because Federal law requires people to monitor their accounts does not make this a good or reasonable policy (and I have no doubt that financial institutions have more influence over how these laws are written than consumers).

In the U.S. we always favor convenience over security. Banks in Europe, to my knowledge, generally have much better security procedures (required for all users) at the expense of convenience. But there is no reason why an institution like Vanguard, which is supposed to be more client centric than other institutions, couldn't choose to do a better job and hold itself to a higher standard than that defined by Federal law.

I also am completely not surprised that two-factor authentication with cell phones has been hacked. As I mentioned above, security on smartphones is not a mature area. I would not touch banking of any sort on a smartphone. Not least because you can simply lose your phone and thereby provide all sorts of access to your accounts and personal information to anyone who finds it (unless you have implemented security measures to protect yourself from this, which in reality almost no one does or understands how to do).

For two-factor identification, I think the key fob solution is preferable (RSA's past problems notwithstanding).

In the end, as a whole group, consumers are not going to be very sophisticated about security. Placing the burden on consumers is not realistic. The burden for adequate security has to be placed on the institutions, which have the resources necessary to implement and develop these protocols. Yes, very motivated individuals, like people interested in this thread, can take extra measures to protect themselves. But they will ultimately still be limited by the protocols available from a particular institution, such as Vanguard, and counting on people in general to behave like the most motivated and sophisticated users is not a solution to the problem.

cb474 wrote:there is no reason why an institution like Vanguard, which is supposed to be more client centric than other institutions, couldn't choose to ...

I think your premise is faulty. I'm a client of both Fidelity and Vanguard. There is no way you could convince me that Vanguard is anywhere near as client-centric as Fidelity is, in my experience. What Vanguard is is client-cost-centric, not client-centric - and not a broad interpretation of client-cost-centric, but rather a quite narrow interpretation of client-cost-centric, focusing on standard, everyday, ongoing costs, i.e., not including the cost of having one's credentials compromised. (Fidelity isn't any better in that regard, but embodies the more generic client-centric perspective for me based on many other aspects of their service.)

This one angle is something that remarkably few of my financial accounts pay enough attention to, at least at this point.

cb474 wrote:In the end, as a whole group, consumers are not going to be very sophisticated about security. Placing the burden on consumers is not realistic.

Given that security will invariably, to a great extent, rely on user behaviors (don't write your password down!), placing the burden on providers is not realistic. Stalemate. Everyone has to do their part, even if it is difficult to understand.

bogleblitz wrote:I work in the security field and I think the security on all these investment sites should be the same. One of my favorite security is 2 factor authentication which requires you to put in an additional 6 digit password.

I personally use 2 factor authentication for work, gmail, and blizzard videogames. It is all setup on my smartphone.

Fidelity is currently beta-testing two-factor authentication for some of their accounts. Fidelity is using VeriSign (now owned by Symantec) VIP Access. I posted instructions on how to sign up for it here: http://www.bogleheads.org/forum/viewtopic.php?f=2&t=108267. eBay, PayPal, and one of my credit unions are also using VIP Access.

bicker wrote:Given that security will invariably, to a great extent, rely on user behaviors (don't write your password down!), placing the burden on providers is not realistic. Stalemate. Everyone has to do their part, even if it is difficult to understand.

I completely agree with your statements about customer service at Fidelity vs. Vanguard customer service. Until recently I agreed with you about not writing down passwords. My experiences of the past few weeks and an interview I heard on NPR changed my mind. Allow me to explain:

One of my New Year's resolutions for 2013 was to improve my cyber-security. I'm an engineering professional who has implemented encryption systems in both HW and SW, so I know a little about how they work. I knew that I had reused a bunch of passwords on a bunch of different sites, but until I implemented LastPass in support of my New Year's resolution, I had no idea of the extent to which I was reusing one password. I currently have 128 passwords. This is about twice as many as I guessed I would have. Over half of these sites had the same password when I started the process! I now have 128 unique passwords stored in my LastPass vault. I'm using a Yubi-key to implement two-factor authentication on my vault, but I'm not naive enough to believe that my LastPass vault is hacker-proof.

In contrast, my significant-other who is not technically inclined has all of her passwords written down on a piece of paper stored in a filing cabinet with the name of her cat on it.

Who's more secure; me or my sweetie? I think she is. Her password list is offline. It is hacker proof. If somebody breaks into her house and steals her filing cabinet, they may not even find the list. In any case, when she finds the door broken down she knows she needs to change her passwords ASAP! One of the 128 sites I visit could be hacked and I'd never find out!

Somebody interviewed a writer for Wired magazine that had written an article about being hacked. He too suggested that you use lengthy hard to remember passwords and write them down!

So if the choice is between reusing a few passwords for everything and writing down unique passwords on a piece of paper, I actually think writing them down is better.

As the Wired article pointed out, the biggest vulnerability to our accounts isn't the length or complexity of the passwords, but rather the ease with which someone can have the password reset on your account. That's how the Wired writer got hacked.

So while I think 10-digit passwords at Vanguard are a joke, and the 12-character passwords at Fidelity aren't much better, I think the biggest thing websites could do to improve security is to allow users to shut off online password resets and to train the phone people NOT to allow unlimited guesses at the security questions.

Alskar wrote:Who's more secure; me or my sweetie? I think she is. Her password list is offline. It is hacker proof. If somebody breaks into her house and steals her filing cabinet, they may not even find the list. In any case, when she finds the door broken down she knows she needs to change her passwords ASAP! One of the 128 sites I visit could be hacked and I'd never find out!

I agree with this. People used to worry a lot about writing passwords down, but in this era the vulnerability is not from someone's home being broken into. It's from hackers, viruses, etc. The criminals are working through the network. Unless you're being spied on by the government or something like that, people who break into houses are not looking for passwords (they're looking for money, jewelry, and televisions). So if writing passwords down helps people feel comfortable having longer, more complicated passwords, then that is an obviously beneficial trade-off. Obviously you wouldn't want to carry passwords around in your wallet. But in a file at home somewhere is fine.

Alskar wrote:As the Wired article pointed out, the biggest vulnerability to our accounts isn't the length or complexity of the passwords, but rather the ease at which someone can have the password reset on your account. That's how the Wired writer got hacked.

I agree with this also. I hate the security questions. They are there for convenience. But they create one of the biggest vulnerabilities. Anyone who thinks that 99% of users aren't going to just give the real answer to these questions is not realistic. It is much more likely to get a few IT people (who by definition understand these matters much better) to change protocols for everyone's benefit, than to expect that everyone in the world is going to become a sophisticated cyber security expert able to protect their own online activity. Leaving it up to the consumers is basically just taking a "let the buyer beware" stance. On the one side you have a few thousand IT and security people who understand these matters and could make better choices. On the other side you have hundreds of millions of consumers who would need to be educated extensively. I think getting a few thousand already knowledgeable people to do something different is significantly more probable than getting hundreds of millions of not very knowledgeable people to do something different.

Alskar wrote:Until recently I agreed with you about not writing down passwords. ...

What you outlined was not an endorsement for writing down passwords, but rather an endorsement for having unique passwords on each site, something you're doing with your LastPass subscription.

I know you feel that a physical break-in is somehow more evident and more actionable than a break-in to your LastPass subscription, but that doesn't fly for me for several reasons: First, if you're really concerned about that, then there are alternatives to LastPass which don't have an online aspect. With one very secure password you can encrypt a database full of service-specific passwords. It's like taking the page of written-down passwords and making it hard for a thief to read it. Second, the page of written-down passwords is much harder to update and place at multiple locations, so you're sacrificing substantial usability which, for me, renders the approach unacceptable. I need to be able to pay bills, sometimes, from work, or from the road. Sometimes, I need to check my checking account balance before I hand someone a check. Going home and logging onto a service using a paper-based password storage system is a non-starter. Third, there are things you can do even with LastPass that can make breaches as evident as someone breaking into your home and stealing your written-down passwords.

Of course, if LastPass itself is compromised, they would let people know as soon as the breach is detected, perhaps more rapidly than you'd know if someone broke into your home. You may feel that such a breach could be hidden from LastPass, but if someone is targeting your financial accounts, specifically, they could steal your written-down passwords in a similarly surreptitious manner, and if the target wasn't specifically your passwords, then that would be analogous to someone stealing the encrypted data for thousands of LastPass users, meaning it could take them some time to get to yours.

The point isn't to quibble over the details of such equivocations but rather to point out that there are generally such analogies for every aspect, except one: there is no way to encrypt a piece of paper in the same way you can encrypt a database of passwords. That one aspect makes a database of passwords better than a piece of paper, while almost surely all other aspects are comparable in some way.

Alskar wrote:So if the choice is between reusing a few passwords for everything and writing down unique passwords on a piece of paper

But that's not the choice. <shrug>

bicker, in principle I agree with what you're saying, but in practice I think Alskar is right. Most people are really, really, really not very sophisticated about their computer use. Only a very marginally small percent of people are ever going to bother to figure out enough to even know about LastPass (and the like), let alone use it. But I know several fairly unsophisticated computer users who have come up on their own with multiple different complex passwords written down on a piece of paper kept in a file.

I know LastPass seems pretty simple to people like you and me and Alskar, who are thinking about this (and probably just have some personal, if not professional, interest in technical things). But most people are just not going to get it and have other things to worry about in their life. So as a general solution to the problem for most people, it's a choice between fairly crude solutions. The piece-of-paper solution, in this practical reality, I think, is very often the superior solution.

This is also why I've said above the burden really has to be on the service providers (for example to offer, if not insist on, two-factor authentication). A simple key fob, for the most important institutions (like a bank), solves this problem. It's commonplace, I believe, in some places outside the U.S. If we want a general solution that most people will actually use in practical reality, the responsibility has to fall on the handful of more sophisticated behind-the-scenes people (at the service providers) to create protocols that everyone can use and then require their use. Otherwise, it's just never going to happen. A few of us will get it right and everybody else will be vulnerable.

I would sooner recommend telling people to come up with a "formula" than write down actual passwords.

The formula approach doesn't get much airplay, and I think that's a shame. It involves putting together passwords from different easily memorable components, at least one of which varies from website to website. The variable component is typically some part of the host name of the website, but the company name could be used instead.

Here's an example.

1) The first two characters of the password are the first and third characters of the host name.
2) Then add on the number of characters in the host name.
3) Then, for websites that permit special characters in the password, add on one of the special characters that seem to work on every website that supports any special characters: !@$%_.
4) Then add on a consistent password component with at least 8 characters, with at least one capital letter and one lower case letter. You may have to truncate to fit.

So for this forum, if your consistent password component is BeepBeep and your special character is $, your bogleheads.org password would be bg10$BeepBeep. That's considered by Microsoft to be a "Strong" (though not "Very Strong") password.

And what you can very safely do is keep a text file somewhere with the host names, and their password rules:

This is, of course, public information, so the only thing unique to you that could be considered even remotely sensitive is the specific list of host names, identifying where you have accounts, but I suspect most people have that in their browser history and/or bookmarks, and if you're especially concerned, just add a bunch more for services that you don't use.
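The formula above, worked in code. This is an added example and not bicker's own code; it makes one assumption the post leaves open, namely that "the host name" means the leftmost DNS label (so "bogleheads" for bogleheads.org). The second function is the check a practitioner would want to see: every component except the consistent one is derivable from the host, so one password leaked in plaintext from a single site (or shoulder-surfed, or logged by a phishing page) hands the attacker the consistent component, and with it the password for every other site that follows the formula.

```python
# Characters the post says work on most sites that allow any special character.
SPECIALS = "!@$%_"


def _label(host: str) -> str:
    """Variable component: the leftmost DNS label, lower-cased.
    Assumption: the post says 'some part of the host name'; this picks the
    second-level name, which is the part that survives www./m. prefixes best."""
    label = host.strip().lower().split(".")[0]
    if len(label) < 3:
        raise ValueError(f"label {label!r} has no third character; the formula needs one")
    return label


def formula_password(host: str, secret: str = "BeepBeep",
                     special: str = "$", max_len: int = 0) -> str:
    """Steps 1-4 of the formula: first + third char, label length, optional
    special character, then the consistent component (truncated if the site
    caps password length; pass special='' for sites that reject specials)."""
    label = _label(host)
    pw = f"{label[0]}{label[2]}{len(label)}{special}{secret}"
    return pw[:max_len] if max_len else pw


def recover_secret(host: str, leaked_password: str):
    """Attacker's view: given one site's password, strip the host-derived
    prefix and read off the special character and the consistent component.
    Returns (special, secret). A truncated password yields a truncated secret,
    which still fixes most of the characters for every other site."""
    label = _label(host)
    prefix = f"{label[0]}{label[2]}{len(label)}"
    if not leaked_password.startswith(prefix):
        raise ValueError("password does not follow the formula for this host")
    rest = leaked_password[len(prefix):]
    special = rest[0] if rest and rest[0] in SPECIALS else ""
    return special, rest[len(special):]


if __name__ == "__main__":
    leaked = formula_password("bogleheads.org")          # "bg10$BeepBeep"
    special, secret = recover_secret("bogleheads.org", leaked)
    # One leak is enough to derive the password for an unrelated site.
    print(formula_password("vanguard.com", secret, special))   # "vn8$BeepBeep"
```

The scheme does stop credential stuffing by bots that replay one leaked password verbatim, which is the reuse problem the thread is about. What it does not stop is a human (or a script written after the first such leak) who notices the pattern, so the consistent component should be treated as a single secret shared across every account, not as 128 separate passwords.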

bicker wrote:I would sooner recommend telling people to come up with a "formula" than write down actual passwords.

The formula approach doesn't get much airplay, and I think that's a shame. It involves putting together passwords from different easily memorable components, at least one of which varies from website to website. The variable component is typically some part of the host name of the website, but the company name could be used instead.

What you're describing is a variant of what I was using prior to LastPass. I used themes from classical music transposed down the alphabet by an amount determined by a formula using the binary representation of the third character in the domain name, assuming ASCII encoding. It made me pretty good at remembering the binary values for ASCII characters, but it made it difficult for me to change passwords frequently, which is one of the things security experts recommend.

Writing down passwords wouldn't work for me, as I travel quite a bit and having a password list in my wallet seems nuts even if it were encoded in some fashion. However, I'm convinced that for the majority of users it really is a choice between reusing a handful of passwords for everything or writing them down. I'm saying that writing them down is better than reusing one or two. My 87-year-old father calls me twice a week to get the password to his Netflix account. He uses the same password for everything else. Drives me a bit nuts!

I agree that I'm endorsing the use of unique passwords. I've chosen LastPass to assist me with doing that, but honestly I don't see LastPass working for everybody... it's too technical. KeePass is even worse. I've seen articles that say one should absolutely never, ever write down your password(s). The natural response to that is to use the same password for everything, which in my view is worse than writing them down.

I think a formulaic approach, like the one you describe or a "pattern on the keyboard" approach are other valid approaches that are probably better than writing them down. One warning: If you use the "pattern on the keyboard" approach, it may backfire on you. For example, the US keyboard has some numbers and letters in different places than on the Swedish keyboard. When trying to enter a password created on a US keyboard on a Swedish keyboard it can get a bit tricky!!

cb474 wrote:I hate the security questions. They are there for convenience. But they create one of the biggest vulnerabilities. Anyone who thinks that 99% of users aren't going to just give the real answer to these questions is not realistic. It is much more likely to get a few IT people (who by definition understand these matters much better) to change protocols for everyone's benefit, than to expect that everyone in the world is going to become a sophisticated cyber security expert able to protect their own online activity.

I agree with what you say but don't think you go far enough. You understate the culpability of both the institutions and the "security experts" who say you should not give real answers to security questions. They are training people to ignore security instructions from the institution, to lie to financial institutions and to follow plausible advice from random strangers. If people don't get into the habit of following instructions from the institution there is no path to security. If people follow plausible advice from strangers there is a superhighway to social engineering.

Anybody who actually cares about general security would concentrate on the errors of the institutions and stop telling the public how to "cleverly" work around the institutional failures. Or at least move the workaround to a footnote in an article hammering the institution.

bogleblitz wrote:Also, another reason why the 2-factor key isn't used more often is price. My guess is that each token key costs $20 per person per year for license and maintenance.

I got three Yubi-keys (http://www.yubico.com) for $50 just before Christmas. No batteries and no on-going license fees.

In any case, I believe that hardware tokens are a bit passé these days. So-called "soft" tokens seem to be all the rage now. RSA has had a soft token for several years. I had one over three years ago on my Blackberry.

The VIP Access app is free. No fees to use it on any of the websites I've enabled for VIP Access.

There are also so-called "grid" systems, where one prints out a grid of numbers and letters. This means carrying a piece of paper with you with the grid on it, but the grid is considered to be a second factor (aka "something you have"). LastPass supports using a grid.

bogleblitz wrote:In any case, I believe that hardware tokens are a bit passé these days. So-called "soft" tokens seem to be all the rage now. RSA has had a soft token for several years. I had one over three years ago on my Blackberry.

I think RSA is the most expensive. I use their soft token too. I heard their price for soft token vs hard token is almost the same. Companies need to pay RSA per user per year. I don't have to pay, but my company does.

The 25-year patent on the 2-factor RSA token has expired, so other companies can make them. It is much cheaper for companies to use other brands or build their own. RSA is probably still the most used for work. One of my friends has 6 different RSA tokens at work to log in to different financial companies.

I understand why from a convenience point of view using a smartphone app to do what a hardware token does is appealing. But cell phones are so insecure it's ridiculous. Apple and Google and others really aren't focusing on security on these devices anywhere close to what has been done on the desktop. As I said above, I would just never use my smartphone for any type of banking purpose. It's asking for trouble.

And exactly what you don't want is to have your security token function in the ultimate networked communication device. Part of the whole benefit of the separate hardware token is that you need to physically have the token. But if you can at least hypothetically access the soft token app remotely, well, it's only a matter of time until someone does.

Did people read about how security experts were able to completely take over all functions of a Samsung Galaxy S3, using the NFC reader, without requiring any interaction (opening an attachment etc.) from the user?

HSBC online is very secure. To log in you use the typical user name and password, then they have a secondary password that you don't enter by key, but by a virtual keyboard on their website. And you don't fill in all the characters. Let's say the virtual screen password is 9 characters long; random spaces will be filled in with an "X" and you fill in the rest with the correct characters. The spaces change randomly when signing on. I wish Vanguard and other sites could follow this method.
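The partial-password step described above, as an added example that is not HSBC's code and does not claim to reproduce their implementation. It shows the server side of the exchange: pick a few random positions, show the rest as "X", check only the requested characters in constant time, and lock out after repeated failures. The storage design is the assumption that matters: to check individual positions the server cannot keep one hash of the whole secondary password, so here each (position, character) pair gets its own salted HMAC. The last function is the caveat a practitioner would want on record: that per-position table is trivially brute-forced offline if the database leaks, because each position ranges over a tiny alphabet. Partial passwords resist keyloggers and shoulder-surfing; they do not resist a database breach the way a properly hashed full password does.

```python
import hashlib
import hmac
import random
import secrets
import string

MAX_FAILURES = 5          # assumed lockout threshold; not stated on the page


class PartialPasswordVerifier:
    """Server side of a 'fill in only these positions' secondary-password step."""

    def __init__(self, secondary_password: str, reveal: int = 3):
        if reveal > len(secondary_password):
            raise ValueError("cannot ask for more positions than the password has")
        self.length = len(secondary_password)
        self.reveal = reveal
        self.salt = secrets.token_bytes(16)
        # Assumed storage: one salted HMAC per (index, character). This is what
        # makes position-wise checking possible; it is also the weakness below.
        self.digests = [self._digest(i, ch) for i, ch in enumerate(secondary_password)]
        self.failures = 0

    def _digest(self, index: int, ch: str) -> bytes:
        return hmac.new(self.salt, f"{index}:{ch}".encode(), hashlib.sha256).digest()

    def challenge(self, rng=None):
        """Pick `reveal` distinct positions at random for this login attempt."""
        rng = rng or random.SystemRandom()
        return sorted(rng.sample(range(self.length), self.reveal))

    @staticmethod
    def render(length: int, positions) -> str:
        """What the virtual keyboard shows: 'X' where nothing is to be typed,
        '_' where the user must supply the character."""
        return "".join("_" if i in positions else "X" for i in range(length))

    def verify(self, positions, answers) -> bool:
        if self.failures >= MAX_FAILURES:          # locked out
            return False
        if len(answers) != len(positions):
            self.failures += 1
            return False
        ok = True
        for i, ch in zip(positions, answers):      # check every position, no early exit
            ok &= hmac.compare_digest(self.digests[i], self._digest(i, ch))
        self.failures = 0 if ok else self.failures + 1
        return ok


def recover_from_stolen_table(verifier: PartialPasswordVerifier,
                              alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """Offline attack on a leaked table: each position is an independent guess
    over a small alphabet, so the whole password falls in at most
    len(alphabet) HMACs per position. ('?' marks a character outside alphabet.)"""
    out = []
    for i in range(verifier.length):
        hit = next((ch for ch in alphabet
                    if hmac.compare_digest(verifier.digests[i], verifier._digest(i, ch))), "?")
        out.append(hit)
    return "".join(out)


if __name__ == "__main__":
    v = PartialPasswordVerifier("secretpw1", reveal=3)     # constructed sample password
    pos = v.challenge()
    print(PartialPasswordVerifier.render(v.length, pos))     # e.g. X_XXX__XX
    print(v.verify(pos, ["secretpw1"[i] for i in pos]))      # True
    print(recover_from_stolen_table(v))                      # secretpw1
```

Two consequences follow for anyone deploying this: the lockout counter and the challenge positions must be tracked server-side per account (a client that can re-roll the challenge until it gets positions it already knows defeats the scheme), and the secondary-password table needs the same breach planning as a plaintext store.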

cb474 wrote:I understand why from a convenience point of view using a smartphone app to do what a hardware token does is appealing. But cell phones are so insecure it's ridiculous. Apple and Google and others really aren't focusing on security on these devices anywhere close to what has been done on the desktop. As I said above, I would just never use my smartphone for any type of banking purpose. It's asking for trouble.

I understand what you're saying, however, I don't think hardware tokens are any more secure than soft tokens. Here's why:

At my last job I spent a ridiculous amount of time trying to make the product I was designing difficult to counterfeit. The intellectual property in that product was really in the firmware running on a DSP processor. We wanted to make it REALLY difficult to copy the firmware. In the old days, that wouldn't have been that difficult. However, there are now places in China that will, for a modest fee (<$50 USD), copy the firmware from just about anything. They do this by removing the part containing the firmware from the board. They remove the lid of the part with nitric acid or whatever, and power it up in a fixture under a FIB (Forced Ion Beam) microscope. While running the processor normally (to defeat the "tamper protection" circuit), they lower the temperature of the processor to near absolute zero using liquid nitrogen. At some point the clock stops running, but because it's so cold the tamper circuit isn't working either. Then, using the FIB microscope, they scan the memory of the device to see if each cell has charge or doesn't have charge. They then recreate the contents of the memory and from that a programming file that can be used to make exact duplicates of the part they copied.

So IMHO it wouldn't take that much to hack a hardware token. So while HW tokens have different risks than SW tokens, I would be hard-pressed to decide which one is more vulnerable. Soft tokens can be easily reset. That's harder to do with a HW token. The soft token is in a device with wireless access, which is a vulnerability, but HW tokens once hacked are difficult to re-seed.

I remain convinced that the most-vulnerable point of my accounts is the ease with which one can get the password reset. 10 character passwords are a joke, but why bother with that when one can just request a password reset. At that point your Vanguard account is no more secure than your email account, which for most people isn't very secure at all.

Another security-related surprise, you don't get notified by email (i.e., at the old address) if someone logs in and changes your email address. So email notifications are not a reliable way to detect unauthorized activity.

This is not true. Last week I changed my email address on file at Vanguard and they not only sent me an email at my old email address that I had changed, but they sent me a snail mail letter informing me of this as well.

That comic came to mind as soon as I started reading this thread. The military is especially bad about this. All of their passwords require 2 upper, 2 lower, 2 numbers, 2 special chars. I find the passwords so difficult to memorize that I find myself using the same password over and over, which really renders me much more vulnerable. If only more people knew about this comic.

Alskar wrote:I understand what you're saying, however, I don't think hardware tokens are any more secure than soft tokens. Here's why:

[Account of how to hack hardware]

I remain convinced that the most-vulnerable point of my accounts is the ease with which one can get the password reset. 10 character passwords are a joke, but why bother with that when one can just request a password reset. At that point your Vanguard account is no more secure than your email account, which for most people isn't very secure at all.

I appreciate the technical details and you are quite right that the password resets, etc., are the weakest link and need to be fixed first. However, you're missing one of the design characteristics of cyphers. Cryptographers assume that the code is public, only the key needs to be secured. The key is the only secret. In a well designed system the key will be different for each token.

Reverse engineering a particular hardware token will give the code (for the whole system) and the key for that particular token. In a good system the code is already published, so that is not a problem, and the key only lets you fake that particular token, people using other tokens are safe.

So to break a well designed hardware token you have to steal and disassemble the particular token of the person you want to attack. This gives the victim an opportunity to notice the theft and forces the bad guys to attack one token at a time, so they get no economies of scale.

Compare this to a soft token in a smart phone. Each person's key is in his phone. If the bad guys can find a way to attack a phone over the network they can get the keys without alerting the victim and they can automate the attack on millions of victims without much extra work.

Epsilon Delta wrote:I appreciate the technical details and you are quite right that the password resets, etc., are the weakest link and need to be fixed first. However, you're missing one of the design characteristics of cyphers. Cryptographers assume that the code is public, only the key needs to be secured. The key is the only secret. In a well designed system the key will be different for each token.

I'm no expert on security, but I don't believe the two-factor authentication system I'm describing has anything to do with cyphers or public key exchange. Which is to say, I don't believe the hardware or software token contains any kind (public or private) key. Rather, the token contains hardware or software that generates a pseudo-random six digit number based on a "secret" algorithm. The host system and the key are initialized with the same seed value. Every thirty seconds the next number in the pseudo-random sequence is independently created by the host system and by the token. If the user correctly enters the current pseudo-random number, the host assumes he or she is in possession of the second-factor (aka "something you have") and allows entry. Like I said, I'm no expert, but I imagine there has to be something that synchronizes the clock in the host with the clock in the token. I'm imagining that HW tokens are synchronized to NIST and have a time-reference that is accurate enough not to drift too far off before the battery expires. SW tokens on smartphones can synchronize over the web.

In the case of RSA I believe what was stolen was the "secret" algorithm for generating the pseudo-random sequence as well as the method for creating seed values. I hypothesize that with enough effort the same information could be extracted from HW tokens. This would make ALL of that generation of tokens vulnerable. Once you know the length of the pseudo-random sequence and the algorithm, and a sufficient number of the numbers in the sequence, I believe it would be possible to extract the seed for any particular HW token. My math skills aren't good enough to know how many numbers one would have to capture in the sequence to be able to predict the next number.

If I am completely out in left-field, please educate me.

Here's my point in a nutshell: From my point of view, I don't see HW tokens as being clearly more secure than SW tokens. Each has its vulnerabilities and its strengths. For example, I think HW tokens are more susceptible to a so-called "social engineering" attack than the SW token on my phone. I keep my phone in my pocket all of the time. I don't feel dressed without it. I've never lost it. I can't say the same thing about a HW token. If I had one, I imagine it would be in my computer bag or backpack most of the time. Somebody could call from the lobby, distract me and have an accomplice steal my HW token.

Alskar wrote:I'm no expert on security, but I don't believe the two-factor authentication system I'm describing has anything to do with cyphers or public key exchange. Which is to say, I don't believe the hardware or software token contains any kind (public or private) key. Rather, the token contains hardware or software that generates a pseudo-random six digit number based on a "secret" algorithm. The host system and the key are initialized with the same seed value. Every thirty seconds the next number in the pseudo-random sequence is independently created by the host system and by the token.

In this case the "key" is the seed value* for the pseudo-random number generator. Unless tokens are supposed to be interchangeable each token must have a different seed. Different seeds are needed so different tokens step through different series of numbers. The tokens should be seeded with real random numbers which are also stored at the host along with the username and password. As long as the seeds are secret the designers can use one of the standard cryptographic pseudo random number generators, and announce it to the world with no loss of security.

Again the algorithm is not secret, only the seed is secret and the seed is different for each token so hacking one token does not hack them all.

* more generally the internal state of the generator.

Alskar wrote:In the case of RSA I believe what was stolen was the "secret" algorithm for generating the pseudo-random sequence as well as the method for creating seed values. I hypothesize that with enough effort the same information could be extracted from HW tokens.

It was the list of seeds that was stolen, the algorithm was already known (although I believe this had been reverse engineered rather than published by RSA). Some customers managed the seeds themselves (so the seeds were not in the RSA database) and these customers remained secure.

Alskar wrote:Once you know the length of the pseudo-random sequence and the algorithm, and a sufficient number of the numbers in the sequence, I believe it would be possible to extract the seed for any particular HW token. My math skills aren't good enough to know how many numbers one would have to capture in the sequence to be able to predict the next number.

As far as we know if you use one of the known secure algorithms, then knowledge of the algorithm and any plausible subset of the sequence is insufficient to calculate either the initial seed or the next number with available computing resources.

Here's another possible scheme that shows a clearer link between these tokens and encryption. Are you familiar with public key encryption? You can use public key encryption for tokens. The token would have the private key, any hosts linked to the key would have the public key. To generate a number the token would encrypt the current time with the private key. The host can use the public key to decrypt the time, and verify that it is close enough to "now" before allowing access. The most obvious way to break this scheme is to find the private key, but that only exists in the individual's token. Keeping that token off line makes it harder to get.

The point that you are more likely to notice a missing phone than a missing token is relevant. One solution would be to glue the token to the phone. Math can only do so much and the human factors are much more difficult.
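As an added illustration of the shared-seed scheme discussed in the last few posts (this is example code written for this page, not code from any poster or from any token vendor), the block below implements a time-stepped one-time-code generator in the style of RFC 6238: the token and the host run the same public algorithm over the same per-token seed and a 30-second step counter, the host tolerates one step of clock drift, and a code cannot be replayed within its window. The parameters (30-second step, 6 digits, 20-byte seed, one step of drift) are assumptions, not anything the thread states about a particular product. The last function shows what a stolen seed list buys an attacker: the current code for a victim, with no token in hand.

```python
# Added example, not code from the thread or from any token vendor.
# A time-stepped one-time-code scheme of the kind described above, in the
# style of RFC 6238 (HMAC-SHA1 over a 30-second step counter, 6 digits).
# Assumed parameters: 30 s step, 6 digits, 20-byte random seed per token,
# host tolerates one step of clock drift each way. Seeds are generated here.
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def time_step(unix_time):
    """Which 30-second window a given Unix time falls in."""
    return int(unix_time) // STEP_SECONDS


def otp(seed, step):
    """The public algorithm both sides run: HMAC(seed, step) truncated to
    DIGITS decimal digits. Only the seed is secret."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** DIGITS).zfill(DIGITS)


class Token:
    """The 'something you have': one seed plus a clock."""

    def __init__(self, seed):
        self._seed = seed

    def current_code(self, unix_time):
        return otp(self._seed, time_step(unix_time))


class Host:
    """Server side: per-user seed table, the same algorithm, a drift window
    and a record of the last step accepted, so a code cannot be replayed."""

    def __init__(self, drift_steps=1):
        self._seeds = {}
        self._last_step = {}
        self._drift = drift_steps

    def enroll(self, user):
        seed = secrets.token_bytes(20)  # fresh randomness, unique per token
        self._seeds[user] = seed
        return Token(seed)

    def verify(self, user, code, unix_time):
        seed = self._seeds.get(user)
        if seed is None:
            return False
        now = time_step(unix_time)
        for step in range(now - self._drift, now + self._drift + 1):
            if hmac.compare_digest(otp(seed, step), code):
                if step <= self._last_step.get(user, -1):
                    return False  # this window's code was already used
                self._last_step[user] = step
                return True
        return False


def attacker_with_seed_list(stolen_seeds, user, unix_time):
    """What a stolen seed list buys an attacker: with a victim's seed and the
    public algorithm, the current code needs no token at all."""
    return otp(stolen_seeds[user], time_step(unix_time))


if __name__ == "__main__":
    host = Host()
    token = host.enroll("alice")
    now = time.time()
    print("token shows ", token.current_code(now))
    print("host accepts", host.verify("alice", token.current_code(now), now))
```

Note that a second token enrolled on the same host gets its own seed, so its codes are not accepted for the first user; hacking one token's seed compromises only that token, while stealing the host's seed table compromises every user in it.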

Epsilon Delta wrote:The most obvious way to break this scheme is to find the private key, but that only exists in the individual's token. Keeping that token off line makes it harder to get.

The point that you are more likely to notice a missing phone than a missing token is relevant. One solution would be to glue the token to the phone. Math can only do so much and the human factors are much more difficult.

Thanks for the lengthy explanation. I don't know nearly as much about this as you do, but this is also my take on it. To hack a particular individual's hardware token you physically have to have the token. To hack a software token you could hypothetically do it through the network connection (or Bluetooth or NFC, etc.). This intrinsically makes the software token significantly more vulnerable.

I think this is akin to the discussion about writing passwords down on a piece of paper at home vs. having really bad but easy to remember passwords. To hack the bad password you just need to run a dictionary attack from anywhere in the world or run a few good guesses or do some social engineering, at almost no risk of being caught. To hack the good passwords on the list at home you have to break into the person's home and find the list and know that they have something to steal in their accounts worth the level of effort and risk.

Criminals like convenience too, as well as reducing risk. Most crimes that happen are the ones that are easiest to commit. So in the case of the hardware token hacking vs the software token hacking, as in the case of breaking into someone's home to steal a password list vs. hacking really simple easy to remember passwords, one thing is far more probable than the other and that affects security.

With the hardware token you could also just leave it at home, making it even more secure, as long as you don't mind the inconvenience of only being able to access certain accounts at home. I also believe most of these tokens are designed to serve as or easily go onto a key ring. Most people are just as cautious with their keys as their cellphone, so I really don't see why one is more likely to be lost than the other. And as Epsilon Delta points out, if you lose the hardware token you immediately know that you have a problem to be fixed (as you would if you lost your keys). But with the software token you could be compromised and have no idea until it's too late.

Nonetheless, to me it's obvious that financial institutions and others will gravitate to the software token solution, because it is cheaper to implement (just download an app) and more convenient. And cost and convenience all too often seem to be the determining factors in selecting security protocols, rather than security itself.

That comic came to mind as soon as I started reading this thread. The military is especially bad about this. All of their passwords require 2 upper, 2 lower, 2 numbers, 2 special chars. I find the passwords so difficult to memorize that I find myself using the same password over and over, which really renders me much more vulnerable. If only more people knew about this comic.

Yeah, I am starting to think we're all being taught the wrong thing about how to choose a secure password. Here's another interesting site that makes the point that the focus on entropy in passwords (produced through random numbers and large character sets) is misplaced. It is much easier to make a more secure password by simply "padding" easy to remember passwords with long strings of easy to remember character patterns. Length is what matters, much more than entropy. Which is once again why Vanguard is doing its customers no service by limiting passwords to a measly ten characters. The only way to extract even a halfway decent password out of ten characters is to maximize entropy, which means really random passwords which are hard to remember.


cb474 wrote:Thanks for the lengthy explanation. I don't know nearly as much about this as you do, but this is also my take on it. To hack a particular individual's hardware token you physically have to have the token. To hack a software token you could hypothetically do it through the network connection (or Bluetooth or NFC, etc.). This intrinsically makes the software token significantly more vulnerable.

When people are asked which is more risky, flying in a jet or taking a shower at home, most people say that flying in a jet is riskier, but in reality taking a shower is many times riskier than flying in a jet. Similarly, HW tokens may seem more secure than a SW token, but when I think about the likely attacks, I actually think SW tokens might be more secure. Sure, the SW token can be attacked wirelessly, but the HW token has some vulnerabilities that could make it more easily hacked than a SW token. Here are my thoughts:

I work in high-tech. Starting in around 2006 my employer started requiring the use of SecurID HW tokens to access the corporate network through a VPN. Everybody in engineering got a token. I don't remember a single person carrying the token with them. The token was too bulky to fit in one's pocket. Virtually everybody stuck it in their purse, computer bag, backpack, etc. Since, unlike a cellphone, the HW token only served a single purpose, it was easy to forget. People did it ALL THE TIME. What would they do? They would call in to the office and have somebody read the current number on their token or borrow somebody else's login credentials. This makes the system highly susceptible to a social-engineering attack. Just call into the office, pretend to be some contractor or other person that one doesn't see every day, get their login credentials and voila, you're in. Read "Ghost in the Wires" by Kevin Mitnick if you think this is unlikely.

Similarly, I don't think it would be that difficult to steal an unattended HW token, write down several of the numbers in the sequence and by knowing the PRNG algorithm determine the seed. Then you can return the token and the user will never know it was gone. Then by knowing the time you will know which number is currently showing on the HW token, without even possessing it. That pretty much eliminates it as the second factor (something you have).

When we switched to SW tokens in the BlackBerrys a few months later, the whole problem stopped. Everybody had their BlackBerry. A few BBs went for swims in the toilet, but that wasn't a security issue. Somebody calling in to ask for login credentials raised immediate suspicion.

Another thing: If the SW token algorithm is hacked it is a simple inexpensive thing to update the firmware and release a new app. That would be a very expensive and time-consuming problem for HW tokens.

Summary: I would need more evidence before I could conclude that SW tokens are less secure than HW tokens. I see that each have different vulnerabilities, but I can't say which set of vulnerabilities is more severe than the other. Based on my experience with HW tokens from years back and my current experience with SW tokens, I'll take a SW token over a HW token every time.

Alskar wrote:Similarly, I don't think it would be that difficult to steal an unattended HW token, write down several of the numbers in the sequence and by knowing the PRNG algorithm determine the seed.

I am repeating myself, but I may have buried the lede.

This is harder than you imagine. There are a number of cryptographic PRNGs that, as far as we know, cannot be broken. In this case "broken" means calculating the next term or the seed (which would allow you to calculate the next term). They cannot be broken even if you are given

The complete algorithm

billions* of consecutive terms from the sequence

All the computing power in the world for a year*

If you manage it from several numbers you will have made a big* splash in the world of security and a somewhat smaller splash in the world of pure and applied mathematics.

Vanguard's security appears to be good enough. We have no reports of their security being compromised in any systematic way. Beyond that all we have is pure speculation.

I will say the 10 character password limit indicates nothing about the system as a whole. 10 character passwords are all that is required if the rest of the security system is done right. It is only less secure under extremely low-probability scenarios, requiring that a hacker 1) gets access to the institution's database of usernames, salted and hashed passwords and the salting and hashing algorithms, yet 2) somehow does not get access to the parts of the database or code that would allow them to engineer a more direct theft, 3) has the computer power and time to brute force a 10 character password, 4) does not have the computer power and time to brute force a longer password, 5) out of the tens of millions of Vanguard accounts, yours is one of the ones that is successfully broken before Vanguard security figures out what is going on and locks down the system, and 6) the thieves are able to intercept the mailed communications from Vanguard notifying you of changes to your e-mail or mailing address (or mailed checks).

Point 5 is actually a very important one and suggests how to best protect yourself even in this unlikely setup. Any brute-force hacker is going to go for the low-hanging fruit. Rather than run 20,000,000,000 combinations against one username and then going to the next one, they are going to try a couple thousand of the most commonly used passwords against every name. And then, if necessary, do it again with a couple thousand more likely passwords. At some point they'll stop because they'll have a larger set of broken accounts than they will be able to use before getting discovered. So don't use a password that is likely to be common: no single words/acronyms or common two or three word phrases padded out with numbers, or numeric series padded out with letters.
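To make the two points in the post above concrete (salted-and-hashed storage, and an attacker who sprays a short list of common passwords across every account rather than exhausting one), here is an added example written for this page; it is not code from the thread and says nothing about how Vanguard actually stores passwords. It also shows, since the thread keeps returning to it, how much a site that ignores letter case shrinks the space an exhaustive attacker has to search: `fold_case=True` models that behaviour. All users, passwords and the common-password list are constructed test data, and the guess rate in the demo is an assumed round number for a fast hash, not a measured benchmark.

```python
# Added example, not code from the thread or from Vanguard. It shows the
# salted-and-hashed storage the post above refers to, how treating upper and
# lower case as equal shrinks the search space, and the attacker model in the
# post: a short list of common passwords sprayed across every account.
# Users, passwords and the common-password list are constructed test data;
# the guess rate below is an assumed round number, not a measured benchmark.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password, salt=None, fold_case=False):
    """Return (salt, digest). fold_case=True models a site that ignores
    letter case before hashing, so 'Summer2012' and 'summer2012' collide."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt: same password, different digest
    if fold_case:
        password = password.lower()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest, fold_case=False):
    """Constant-time comparison of a fresh digest against the stored one."""
    _, candidate = hash_password(password, salt, fold_case)
    return hmac.compare_digest(candidate, digest)


def build_store(credentials, fold_case=False):
    """credentials: {user: password}. Returns {user: (salt, digest)}."""
    return {u: hash_password(p, fold_case=fold_case) for u, p in credentials.items()}


def keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search of the full space covers."""
    return alphabet_size ** length


def worst_case_seconds(length, alphabet_size, guesses_per_second):
    """Time to exhaust the whole space at a given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def spray(store, common_passwords, fold_case=False):
    """Try each common password against every user, stopping at the first
    hit per user. Returns {user: recovered_password}."""
    hits = {}
    for user, (salt, digest) in store.items():
        for guess in common_passwords:
            if verify_password(guess, salt, digest, fold_case):
                hits[user] = guess
                break
    return hits


if __name__ == "__main__":
    # 10 characters from 36 symbols (letters folded to one case plus digits)
    # versus 62 symbols (case kept), at an assumed 1e9 guesses/s against a
    # fast hash; PBKDF2 at ITERATIONS would be orders of magnitude slower.
    rate = 1e9
    for label, length, symbols in (("10 chars, case ignored", 10, 36),
                                   ("10 chars, case kept   ", 10, 62),
                                   ("16 chars, case ignored", 16, 36)):
        days = worst_case_seconds(length, symbols, rate) / 86400
        print(f"{label}: {days:,.1f} days to exhaust")
```

Running the spray against the same three accounts with and without case folding is the practical takeaway: with case kept, only the account using a literal dictionary word falls; with case folded, an account whose owner relied on a capital letter for protection falls as well, because the guess list no longer has to carry every capitalisation.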

Vanguard isn't likely to publicly announce any breach of their system. Note that Kevin Mitnick hacked into the networks of the top three cellphone manufacturers of his day and stole the source code for their best selling phones. None of them reported the breach. This became an issue during Mitnick's trial when the same cellphone manufacturers claimed huge losses due to Mitnick, but never reported these losses to their shareholders.

It may be more difficult these days, but from reading "Ghost in the Wires", a ghost-written account of Mitnick's hacking during the 80's and 90's, it doesn't seem like he had very much difficulty getting access to the hashed passwords or cracking them. It is only difficult if you assume a frontal attack. Virtually all of his attacks described in this book had an element of social-engineering that exposed the password file. By his description, he was routinely able to gain access to password files.

Mail from Vanguard to my home on the West Coast of the US takes about 5-6 days. I view Vanguard use of US Mail to notify me of a password change or suspicious activity on my account as charmingly antiquated. Emails and text message arrive in my left-front pocket within seconds!

I'm also skeptical of Vanguard's ability to know when they've been hacked. Case in point: Heartland Payment Systems hired several security companies to look for spyware Heartland suspected was in their system, but couldn't find on their own. I don't remember the details, but as I recall 3-4 security firms Heartland hired specifically to look for spyware said their system was clean. The 4th or 5th company finally found the spyware that had been planted in Heartland's system months before.

It does seem like Vanguard wouldn't make that great of a target. They have lots of money under management, but getting it out is going to leave a big paper trail to follow. Vanguard might be suspicious if millions of dollars were suddenly wired from dozens of accounts to an account in the Caymans!

I'm no security expert, but I would feel much better if Vanguard implemented a system that would support longer and more complex passwords.

My comment about the likelihood of Vanguard publicly disclosing that their system had been hacked was based on a security seminar I attended about two years ago. The speaker spoke about how little public communication there is about data breaches. He felt that only around 10% of the data breaches were ever reported. Most companies fix the vulnerability and move on. It is extremely damaging to a financial institution's reputation to publicly announce that their systems have been breached. It is very hard to know how common data breaches are when most companies are not forthcoming about break-ins.

A security researcher from Google, Elie Bursztein, did a study (http://www.thawte.com/about/news/?story=368849) that showed around 20% of Internet users had had their online accounts compromised in some fashion. Bursztein concluded, "This [is] a much higher percentage than I imagined and it emphasizes how pervasive account compromises are."

The fact that these three companies (and LinkedIn for that matter) disclosed the breach says nothing about the prevalence of breaches in general. Most of the "experts" say it is more common that one might believe from reading the news.

In the case of Zappos, it is likely that their credit card processor demanded that they disclose the breach to potentially limit the cost to the credit card companies due to fraud.

For me, I have no faith that Vanguard would publicly report a breach. I have a great deal of respect for Vanguard mutual funds and ETFs, and little to no respect for Vanguard's IT infrastructure or customer service. For me, I have a difficult time believing that even though the Vanguard website is so bug-riddled as to be barely functional, that Vanguard security is top-notch. It is possible that Vanguard security is terrific, but I doubt it.

My comment about the likelihood of Vanguard publicly disclosing that their system had been hacked was based on a security seminar I attended about two years ago. The speaker spoke about how little public communication there is about data breaches. He felt that only around 10% of the data breaches were ever reported.

Did he provide you the statistics about how many data breaches actually expose customer data? I don't have that data handy but without it, the fact that only 10% of breaches are ever reported is useless with regard to the concern about customer data. What data I do have handy is that 75% of breaches are people misusing data that they actually did have access to, typically trade secrets. (Shaw, Stock, December 2011.) Why would you expect a company to reveal to the public that their own secrets have been stolen?

Alskar wrote:For me, I have no faith that Vanguard would publicly report a breach.

Because federal or state laws required them to do so. For financial institutions, Title V of the Gramm-Leach-Bliley Act of 1999 covers the safeguarding of customer information, including notification requirements in case of a breach.

From what I've heard in seminars and from what I've read, incidences of data breaches are grossly under-reported and are on the rise. I think Vanguard can and should do more to ensure the security of their systems. If for no other reason than to keep expenses down by limiting losses. Obviously, you're free to disagree with me.

From what I've heard in seminars and from what I've read, incidences of data breaches are grossly under-reported and are on the rise.

General discussions of computer security tell us nothing about the specifics of Vanguard's security.

Alskar wrote:I think Vanguard can and should do more to ensure the security of their systems. If for no other reason than to keep expenses down by limiting losses.

It is impossible to draw the conclusion that Vanguard is not doing enough to ensure the security of their systems based on the data available to us. I have discussed the 10 character password limit extensively above. Could you please show me where I have erred before continuing with your claim that it is somehow indicative of lax security on Vanguard's part?

Speaking as a moderator... Absent any supporting information, insinuations of unlawful behavior - in this case that Vanguard would be willing to cover up major security breaches in violation of the GLBA - are not acceptable on this site.

Alskar wrote:For me, I have a difficult time believing that even though the Vanguard website is so bug-riddled as to be barely functional, that Vanguard security is top-notch. It is possible that Vanguard security is terrific, but I doubt it.

A site with adequate security is indistinguishable from one that is so buggy that it is barely usable. Look at all the complaints directed at treasury direct.

Strictly speaking, the GLBA does not require public disclosure, it only requires disclosure to customers where it is reasonable to assume the customer is impacted by the breach. But, as a practical matter, that would probably result in public disclosure if the breach involved a lot of retail customers. More here, starting on page 17:

Note that federal breach disclosure laws are sector based, so the fact that some web sites fail to disclose breaches is not evidence that the financial sector is not required to disclose breaches. Looks like only the financial, health care, and federal sectors are subject to requirements.

Alex Frakt wrote:It is impossible to draw the conclusion that Vanguard is not doing enough to ensure the security of their systems based on the data available to us. I have discussed the 10 character password limit extensively above. Could you please show me where I have erred before continuing with your claim that it is somehow indicative of lax security on Vanguard's part?

Speaking as a moderator... Absent any supporting information, insinuations of unlawful behavior - in this case that Vanguard would be willing to cover up major security breaches in violation of the GLBA - are not acceptable on this site.

I completely agree with you: It is impossible to conclude anything about the security of Vanguard's infrastructure based on the information available to us. I am merely voicing my concern that Vanguard's security may be like Vanguard's website, which I perceive to be amateurish. In a world of rising numbers of hacking attempts and successes, I see this as a threat to Vanguard's low-cost structure.

I believe where we disagree is on what you call "...extremely low-probability scenarios..." I don't see this as an error on your part. Rather I see this as a point where we disagree. I posted some links that show that approximately 20% of internet users have had their online accounts compromised in some fashion (http://www.thawte.com/about/news/?story=368849). If 20% of internet users have been affected, then it is not extremely low-probability IMHO that there are more direct attacks going on.

If you're interested, I think you might enjoy reading "Ghost in the Wires" by Kevin Mitnick. It is absolutely astounding what he was able to do. For example, he wire tapped the people that were wire tapping him.

Here's where I am coming from: In the late 90's I was part of the Digital Display Working Group (DDWG), the group that created the Digital Visual Display (DVI) standard. The Motion Picture Association of America (MPAA) was very troubled by the idea of their copyrighted content being sent over an unencrypted digital interface. Intel, the promoter of DVI, created the High-Bandwidth Digital Content Protection (HDCP) standard to assuage their fears. I sat in numerous meetings where "cryptology experts" expounded on the difficulty of cracking HDCP. They put into place elaborate key revocation and protection methods. The MPAA was happy. DVI rolled out (if my memory serves) in 1999. On November 5, 2001, Scott Crosby from Carnegie Mellon and some others from Berkeley presented a paper "A Cryptanalysis of the High-bandwidth Digital Content Protection System" (http://www.cypherpunks.ca/~iang/pubs/hdcp-drm01.pdf) that outlined how to get around HDCP. HDCP lasted less than two years before it was compromised. In 2010 the HDCP master key was hacked with $250 worth of hardware (http://www.engadget.com/2010/09/14/hdcp-master-key-supposedly-released-unlocks-hdtv-copy-protect/). At this point HDCP is nearly useless.

During roughly the same time frame, I was also sitting on the IEEE 802.11 committee. Wireless security was a huge concern. I sat in the audience during one presentation on the new "unbreakable" encryption system. Apparently unfamiliar with the term "hubris", they named the new standard "Wired Equivalent Privacy" or WEP. In less than 18 months I sat in another conference room and watched another "crypto expert" hack the WEP password and break into a random audience member's laptop in less than 8 minutes. That led to TKIP which led to WPA. I understand that WPA can now be hacked in less than 1 minute: http://www.pcmag.com/article2/0,2817,2352231,00.asp

With all of these experiences I think you can probably forgive me if I remain skeptical that the Vanguard 10 character passwords that treat upper and lower case letters as equal are that difficult to crack. You say it would require access to the hashed password file. Read "Ghost in the Wires" and see if that doesn't change your mind about how hard that file is to obtain. The vast majority of Kevin Mitnick's hacks had an element of social-engineering. Don't assume that the hack is going to be a straightforward assault on the network. Read the first chapter of "Ghost in the Wires" for a description of a typical hack.

I apologize if it seems like I'm itching for a fight. I really am not. I am quite concerned about online security in general and Vanguard's security in particular. It seems to me that at a minimum Vanguard should permit longer passwords as that exponentially increases the time it takes to hack them.

One way for a large firm to address the liability cost related to cyber security would be to get cyber insurance and negotiate the rate down based on the practices that the insurance company requires to lower the rates.

Vanguard, of course, has a fraud reimbursement guarantee and other responsibilities that lead to a liability from cyber risk. But I don't know if they have cyber insurance or other business insurance to cover these risks.